Re: FWSM not allowing hosts communication on same interface

abdulrasheeth · ‎07-28-2011

Hi Experts,

I have an FWSM configured which has communication between hosts on the inside interface(10.101.101.254). The inside host 10.101.101.10 with default gateway as FWSM is trying to communicate with another internal host 192.168.200.6 (different vlan).

FWSM has,

1. routes to all internal networks.

2. NAT exempt using nat 0 command for all internal networks.

3. same-security-traffic permit intra-interface.

4. ACL on inside interface permitting any any.

I am able to ping the internal hosts each other, but other ports are not communicating.

Please me if i missed some configuration.

Hans Blink · ‎07-28-2011

Hi Abdulrasheeth,

I'am not expert but I have a good experiences in FWSM. Maybe I can help you.

Is your switch knows networks 10.101.101.0 and 192.168.200.0 as connected networks ?

Can you show your config ?

regards,

abdulrasheeth · ‎07-28-2011

Hi Blink,

Thanks for your response...

10.101.101.0 is direclty connected, but 192.168.200.0 is 1 hop away in the internal network.

Below are the config...

!
interface Vlan101
nameif inside
security-level 100
ip address 10.101.101.254 255.255.255.0
!
interface Vlan666
nameif MSFC
security-level 0
ip address 10.100.100.253 255.255.255.252
!

access-list outside_acess_in extended permit icmp any any

access-list inside_access_out extended permit ip any any

nat (inside) 0 10.101.101.0 255.255.255.0

nat (inside) 0 192.168.200.0 255.255.255.0
access-group inside_access_out in interface inside

access-group inside_access_out out interface inside
access-group outside_acess_in in interface MSFC

route inside 0.0.0.0 0.0.0.0 10.101.101.250 -------- default gateway to internal core switch---------

same-security-traffic permit intra-interface

!

----------------------------------------------------------------------

I am able to ping from inside host 10.101.101.10 to another inside host 192.168.200.6, but other ports are not opening. E.g i can't telnet from 10.101.101.10 to 192.168.200.6 on port 1433(SQL server). When i bypass the firewall, all ports are working...

Awaiting your reply...

Thanks in advance.

Jon Marshall · ‎07-29-2011

Can you explain topology a bit more.

10.101.101.250 is the default-gateway. What is that device ie. is it a 6500 ?

Where does the MSFC (in your config) sit in relation to your default-gateway ?

Jon

abdulrasheeth · ‎07-29-2011

Hi Jon,

Below is the topology...

LAN-CORE_6500 ---------------------- 7613FWSM-----------------------------------MSFC---------------WAN-ISP----

(10.101.101.250) (10.101.101.254) / (10.100.100.254) (10.100.100.253)

192.168.200.0/24 is another vlan in the LAN-CORE.

Julio Carvajal · ‎07-28-2011

Hello Abdulah

You want to be able to communicate on the same interface beetwen host on different networks.

My question would be, Its the FWSM the default gateway of the 192.168.200.0 network as well?

Because if not we might need to add a U-Turning

Regards

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

abdulrasheeth · ‎07-29-2011

Hi,

I already allowed everything from inside as below,

access-list inside_access_out extended permit ip any any

access-group inside_access_out in interface inside

access-group inside_access_out out interface inside

abdulrasheeth · ‎08-01-2011

FWSM is not the default gateway for 192.168.200.0. So how i do the U-Turning

abdulrasheeth · ‎08-11-2011

Hi all,

I got the solution...

The problem is asymmetric network topology. The request was going through the firewall, but the return traffic reaches the server directly via core switch. hence when further packets go through the fwsm was deny because it did not know about the connection.

I used the tcp-state-bypass option for this traffic in the MPF and it solved the problem.

Thanks for all your replies...